'\" t
.\"     Title: IPSEC_SHOWHOSTKEY
.\"    Author: Paul Wouters
.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/>
.\"      Date: 12/16/2012
.\"    Manual: Executable programs
.\"    Source: libreswan
.\"  Language: English
.\"
.TH "IPSEC_SHOWHOSTKEY" "8" "12/16/2012" "libreswan" "Executable programs"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ipsec_showhostkey \- show host\*(Aqs authentication key
.SH "SYNOPSIS"
.HP \w'\fBipsec\fR\ 'u
\fBipsec\fR \fIshowhostkey\fR [\-\-ipseckey] [\-\-left] [\-\-right] [\-\-dump] [\-\-verbose] [\-\-version] [\-\-list] [\-\-gateway\ \fIgateway\fR] [\-\-precedence\ \fIprecedence\fR] [\-\-dhclient] [\-\-file\ \fIsecretfile\fR] [\-\-keynum\ \fIcount\fR] [\-\-id\ \fIidentity\fR]
.SH "DESCRIPTION"
.PP
\fIShowhostkey\fR
outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information stored in
/etc/ipsec\&.secrets\&. In general only the super\-user can run this command, since only he can read
\fIipsec\&.secrets\fR\&.
.PP
The
\fB\-\-left\fR
and
\fB\-\-right\fR
options cause the output to be in
\fBipsec.conf\fR(5)
format, as a
\fBleftrsasigkey\fR
or
\fBrightrsasigkey\fR
parameter respectively\&. Generation information is included if available\&. For example,
\fB\-\-left\fR
might give (with the key data trimmed down for clarity):
.sp
.if n \{\
.RS 4
.\}
.nf
  # RSA 2048 bits   xy\&.example\&.com   Sat Apr 15 13:53:22 2000
  leftrsasigkey=0sAQOF8tZ2\&.\&.\&.+buFuFn/
.fi
.if n \{\
.RE
.\}
.PP
The
\fB\-\-ipseckey\fR
option causes the output to be in opportunistic\-encryption DNS IPSECKEY record format (RFC 4025)\&. A gateway can be specified with the
\fB\-\-gateway\fR, which currently supports IPv4 and IPv6 addresses\&. The host name is the one included in the key information (or, if that is not available, the output of
\fBhostname\ \&\-\-fqdn\fR), with a
\fB\&.\fR
appended\&. For example,
\fB\-\-ipseckey \-\-gateway 10\&.11\&.12\&.13\fR
might give (with the key data trimmed for clarity):
.sp
.if n \{\
.RS 4
.\}
.nf
      IN    IPSECKEY  10 1 2 10\&.11\&.12\&.13  AQOF8tZ2\&.\&.\&.+buFuFn/"
.fi
.if n \{\
.RE
.\}
.PP
The
\fB\-\-version\fR
option causes the version of the binary to be emitted, and nothing else\&.
.PP
The
\fB\-\-verbose\fR
may be present one or more times\&. Each occurance increases the verbosity level\&.
.PP
The
\fB\-\-dhclient\fR
option cause the output to be suitable for inclusion in
\fBdhclient.conf\fR(5)
as part of configuring WAVEsec\&. See <\m[blue]\fBhttp://www\&.wavesec\&.org\fR\m[]>\&.
.PP
Normally, the default key for this host (the one with no host identities specified for it) is the one extracted\&. The
\fB\-\-id\fR
option overrides this, causing extraction of the key labeled with the specified
\fIidentity\fR, if any\&. The specified
\fIidentity\fR
must
\fIexactly\fR
match the identity in the file; in particular, the comparison is case\-sensitive\&.
.PP
There may also be multiple keys with the same identity\&. All keys are numbered based upon their linear sequence in the file (including all include directives)
.PP
The
\fB\-\-file\fR
option overrides the default for where the key information should be found, and takes it from the specified
\fIsecretfile\fR\&.
.SH "DIAGNOSTICS"
.PP
A complaint about \(lqno pubkey line found\(rq indicates that the host has a key but it was generated with an old version of FreeS/WAN and does not contain the information that
\fIshowhostkey\fR
needs\&.
.SH "FILES"
.PP
/etc/ipsec\&.secrets
.SH "SEE ALSO"
.PP
ipsec\&.\fBsecrets\fR(5), ipsec\&.\fBconf\fR(5),
\fBipsec_rsasigkey\fR(8)
.SH "HISTORY"
.PP
Written for the Linux FreeS/WAN project <\m[blue]\fBhttp://www\&.freeswan\&.org\fR\m[]> by Henry Spencer\&. Updated by Paul Wouters for the IPSECKEY format\&.
.SH "BUGS"
.PP
Arguably, rather than just reporting the no\-IN\-KEY\-line\-found problem,
\fIshowhostkey\fR
should be smart enough to run the existing key through
\fIrsasigkey\fR
with the
\fB\-\-oldkey\fR
option, to generate a suitable output line\&.
.PP
The
\fB\-\-id\fR
option assumes that the
\fIidentity\fR
appears on the same line as the
\fB:\ \&RSA\ \&{\fR
that begins the key proper\&.
.SH "AUTHOR"
.PP
\fBPaul Wouters\fR
.RS 4
placeholder to suppress warning
.RE
